Top Mistakes Financial Services Firms Must Avoid: Transforming Cybersecurity Compliance

Nov 16, 2021
Financial services companies increasingly realize that cyber-resilience is a regulatory concern that needs a holistic approach to shield the organization. The emergence of the COVID-19 pandemic quickly made companies shift their employees to the work-from-home model, which increased the risk of cyber-attacks. For instance, according to European Commission data from June 2020, the use of finance mobile apps in Europe increased by 72% in just one week due to social distancing and lockdown restrictions. At the same time, cyber-attacks on firms soared by 38%. The key lies in strategizing smart investment in automating cybersecurity regulatory compliance. This is the only approach that can save upwards of a million dollars for a financial organization and strengthen the cybersecurity compliance net across companies.
Sanjay Bajaj, Former Senior Vice President

Mark Weston, Investor & Founder

Cybersecurity Regulatory Compliance
Firms are facing unprecedented times due to the impact of regulatory change on both compliance teams and business operations. New regulations, increased enforcement, and enhanced data analytics by supervisors are putting intense pressure on firms. Meanwhile, rising compliance costs are eating into the funds required for business investments. It is becoming clear that firms can no longer tackle regulatory compliance in financial services the way they have been. A change of approach is needed.
To meet these challenges successfully, financial services compliance teams need to embrace digital transformation, which involves using technology, people, and processes to fundamentally change how an organization delivers value. The return on investment of digital transformation should include enhancing customer relationships and improving operational efficiency.
It is true that compliance teams often feel left out of their organization's digital transformation programs, believing that it is not for them or that it has passed them by. The advent of regulatory technology (RegTech) creates an opportunity for compliance teams to engage in digital transformation and improve how technology, people, and processes deliver the right compliance outcomes. Furthermore, compliance teams that engage with digital transformation in the right way have the opportunity to accelerate their organization's overall transformation program.
Top Mistakes to Avoid in Cybersecurity Regulatory Compliance
Cyber-resilience has become embedded in the wider concept of operational resilience, covering different types of operational disruptions in regulatory terms. The pace of changes in cybersecurity regulations is pushing up both cost and complexity for financial services firms.
According to UK Finance, a London-based financial services firm, one of its members received on average 41 regulatory publications per week during 2019. Its investment in regulatory change in the first eight months of 2019 represented 33-40% of its forecast annual business-as-usual investment budget. Some of this spending is focused on updating legacy systems. As companies move ahead in their cybersecurity regulatory compliance journey, they need to make sure they don't repeat the common mistakes listed below:
  1. Trying to Solve the Compliance Problem by Adding More People
  2. Putting Scarce Security Talent to Work on Repetitive Compliance Tasks
  3. Not Upskilling Cyber Team in a World of Rising Threats
  4. Overburdening Cyber Team with Excessive Internal Compliance Requests
  5. Failing to Recognize that this is a Data Problem
  6. Not Reviewing and Rationalizing Cybersecurity Compliance Control Structure
#1 Trying to Solve the Compliance Problem by Adding More People
Cybersecurity is often presumed to be the responsibility of specialist security professionals, resulting in a false sense of security; excuse the pun. Adding more and more centralized security experts to handle cyber compliance allows the wider organization to not take ownership and responsibility. The real challenge is to bring cybersecurity into the mainstream and make it a part of HR policy. Cybersecurity should be central when planning, designing, and deploying new IT systems and not be given attention only at the end of such projects.
Oliver Wyman estimates that between 10% and 15% of financial services employees are now dedicated to compliance and risk management. A global shortage of financial services compliance talent across the industry means that remuneration costs are rising too, even as firms continue to struggle to fill essential roles. Automating the entire cybersecurity compliance value chain can bring significant efficiencies into the system and reduce companies' cost burdens in the long run.
#2 Putting Scarce Security Talent to Work on Repetitive Compliance Tasks
Regulatory change is happening at such volume and so quickly that teams feel part of an intense marathon. There are too many projects, a scarcity of resources, and a high number of critical issues that need immediate resolution.
According to a cybersecurity workforce study commissioned by (ISC)² in 2021, there is a huge demand-supply gap of 359,000 cybersecurity professionals in the United States. At a global level the gap is roughly nine times larger, at about three million professionals.
On average, cybersecurity roles take 21% longer to fill than other IT jobs. The deployment of AI in combination with other automation can reduce many manual tasks, freeing employees from mundane work so they can focus on value-added tasks that need human intelligence. Tackling the issues created by regulatory change through digital transformation opens possibilities for regulatory compliance in financial services to deliver value to the business in new ways.
#3 Not Upskilling Cyber Team in a World of Rising Threats
With fast-paced digitalization, there have been increased instances of cybersecurity threats, requiring organizations to ensure their data and operations are not compromised. To do so, organizations must develop a comprehensive cybersecurity training plan that includes employees' continuous upskilling and reskilling. Companies are aware that there is a heightened need to widen employees' skillsets. In 2020, 67% of firms reported they had widened the skillset within the risk and compliance functions to accommodate fintech innovation and digital disruption developments, of which 15% had invested in specialist skills.
One US bank hired former top tech architects and cross-trained them on risk. We need to see more of these innovative approaches. Upskilling people demands a clear understanding of the specific risk-control skills they need and well-developed programs to scale the training across the organization. The emergence of cybersecurity compliance frameworks such as the National Initiative for Cybersecurity Education (NICE) and MITRE ATT&CK streamlines the skill development process by providing structure and context. With the right combination of upskilling and reskilling, organizations can best hone their existing talent skillsets and ensure greater employee satisfaction.
#4 Overburdening Cyber Team with Excessive Internal Compliance Requests
Cybersecurity regulatory requirements have increased over recent years. Changes are made ever more frequently, and the time-frames for implementation are often tight. The high level of demand and organizational complexity can mean that setting up an integrated finance and risk architecture takes up to ten years. According to the Bank Policy Institute, one chief information security officer indicated that he and his team spent nearly 40% of their work time reconciling various cybersecurity compliance frameworks. Automating some processes can significantly relieve CISOs of manual operations and improve the regulatory compliance landscape.
The Thomson Reuters Cost of Compliance report for 2020 reported that the volume of regulatory change was a challenge for firms, both at the board and compliance officer level. These concerns can sometimes overlap with the challenges firms face in terms of fintech. In 2019, TRRI captured 56,624 alerts from more than 1,000 regulatory bodies, averaging 217 updates a day. Horizon scanning and upstream risk are core elements of RegTech solutions. Applications that identify, summarize, and communicate regulatory alerts within financial services firms are readily available in the RegTech market, yet the survey identified regulatory change as a major challenge to FinTech.
An automated system can prompt CISOs at regular intervals to confirm that crucial assessments have been completed, including the annual Cybersecurity Assessment Tool (CAT) and the Ransomware Self-Assessment Tool (R-SAT). Scheduled alerts help prompt CISOs to conduct annual incident response tests, a gap analysis, and cybersecurity training for employees and the board. Moreover, on-demand reporting can keep all stakeholders informed on the progress of their cybersecurity efforts.
#5 Failing to Recognize that this is a Data Problem
Although many banks are developing better and more consistent data architectures, they still struggle with the processes needed to support them. Moreover, merely storing the data required to comply with regulatory requirements in the data repository in a structured manner falls short of the mark. Data veracity and lineage are vitally important when attesting to external regulatory authorities. If the organization does not take this end-to-end view, data quality is not sustainably secured, process efficiencies cannot be achieved, and the benefit of having a central database is minimal. At the same time, making the most of new technologies, e.g. machine learning and predictive analytics, becomes more difficult.
Data management remains a top challenge for firms on their compliance journey, with long-standing MiFID II data quality issues reported regularly by the regulator, whose scrutiny grows more stringent with every passing day. So, when considering automation, it is essential to ensure that the project starts and ends with data. Compliance data requirements must be defined, sources of data identified, and data accurately and efficiently ingested to generate a high-quality outcome. The organization then needs to make sure the data is cleansed, normalized, and indexed correctly and continues to check data quality on an ongoing basis. It should also monitor any changes to the data – made by humans or machines – and ensure that those changes can be audited and 'time traveled', i.e., one can go back to any point in time to see what the data looked like.
World-class regulatory reporting is built on the foundation of data governance and management. For financial firms seeking to automate regulatory processes, oversight, alerting, and reporting, high-quality data are essential. Yet this is an area where much of the financial services industry continues to struggle. Working with the right platform is essential to meet the exacting standard of data quality.
#6 Not Reviewing and Rationalizing Cybersecurity Compliance Control Structure
Many financial organizations struggle to avoid managing their governance, risk, and compliance initiatives in silos, with each process being managed separately even when reporting needs overlap. Sooner or later it becomes obvious that multiple risk and compliance initiatives are intertwined from the regulatory, organizational, process, and data perspectives. This makes compliance even more burdensome, slower, more resource intensive, and more expensive.
Companies can rationalize their cybersecurity compliance control structure by adopting the Governance, Risk, and Compliance (GRC) Framework approach and a unified system. It eliminates redundant work across initiatives and duplicative software, hardware, training, and rollout costs, as multiple governance, risk, and compliance initiatives can be managed with one approach. It also provides a "single version of the truth" available to employees, management, auditors, and regulatory bodies. Implementing a one-size-fits-all software solution can work in smaller organizations, but for larger organizations a modular, best-of-breed approach is often the optimal choice.
The Road to the Future
Financial firms need to channel their resources and energies to overhaul their cybersecurity regulatory compliance processes, which can only be achieved by implementing the latest regulatory technology tools. The fast-paced growth in RegTech offers an incredible opportunity for compliance teams to engage in digital transformation, to improve the way technology, people, and processes deliver the right compliance outcomes.
Notably, many forward-looking companies have started taking these initiatives, and the COVID-19 pandemic has also pushed the shift to a greater extent. As we move towards the New Normal, financial firms need to remember that the challenges will only increase from here on; the sooner organizations secure their operational systems, the better it is for them, their customers, and the financial sector as a whole.